views:

66

answers:

1

I'm not sure if this is possible at the application layer. Can a program be written to read and analyze packets (maybe interfacing with Wireshark through its Lua API) and ban MAC addresses with suspicious network traffic? (defining suspicious network traffic as packet injection patterns similar to known attacks)

A: 

You would need a combination of libnetfilter_queue and iptables rules. libnetfilter_queue, through an iptables rule, would give you all the packets (in userspace) which were queued by the kernel packet filter. It would then wait for you to send a verdict for the packet.

Once you have netfilter_queue installed and have written a listening userland application, run an iptables rule like

iptables -t mangle -A PREROUTING -i eth0 -j NFQUEUE --queue-num 0

A word of caution: this will give you all the packets, and the kernel would then wait for you to give a verdict, or, if no userland application is running, will just drop them. You can set iptables rules at various levels of granularity like src IP, protocol etc.

Once you have determined that a particular MAC address has to be banned, run an iptables rule like (from your userland application you can use system() to run this iptables rule)

iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

An example program on netfilter_queue is here to get you started. Hope it helps.

Another caution: read up on iptables or ask at serverfault. There are multiple tables involved (input, output, mangle, prerouting, forward, nat etc.) and I may be wrong to suggest the mangle table for the iptables rule.

Aditya Sehgal
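As an added illustration of the approach in this answer (example code, not the answerer's program and not the libnetfilter_queue sample it links to), here is a prototype of the userland side in Python using the python-netfilterqueue binding: each packet handed over by the NFQUEUE rule is inspected, a per-MAC count of bare TCP SYNs over a sliding window decides when a source has crossed a threshold, and the ban is applied with the same iptables rule given above, invoked as an argv list rather than through system(). The threshold, window, sample addresses and the frame builder are constructed for the example; the binding is imported only inside run_nfqueue() so the decision logic runs and can be tested without root or the library installed, and the assumption that pkt.get_hw() returns the hardware address bytes with the MAC in the first six is marked in the code.

```python
"""Prototype NFQUEUE verdict daemon that bans a source MAC after a SYN burst.

Added example; constructed thresholds and addresses, not the answer's own code.
"""
import struct
import subprocess
import time
from collections import defaultdict, deque

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4_tcp(payload: bytes):
    """Return (src_ip, dst_port, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    ihl = (payload[0] & 0x0F) * 4
    if payload[9] != IPPROTO_TCP or len(payload) < ihl + 14:
        return None
    src_ip = ".".join(str(b) for b in payload[12:16])
    dst_port = struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
    flags = payload[ihl + 13]
    return src_ip, dst_port, flags


def is_bare_syn(flags: int) -> bool:
    """SYN without ACK: the packet type repeated in a classic SYN flood."""
    return bool(flags & TCP_SYN) and not flags & TCP_ACK


def ban_rule(mac: str):
    """The iptables rule from the answer, as an argv list (no shell, no system())."""
    return ["iptables", "-A", "INPUT", "-m", "mac", "--mac-source", mac, "-j", "DROP"]


class MacBanMonitor:
    """Sliding-window SYN counter per source MAC; bans a MAC once it exceeds max_syns."""

    def __init__(self, max_syns=50, window=5.0, runner=subprocess.run, clock=time.monotonic):
        self.max_syns = max_syns
        self.window = window
        self.runner = runner      # injected so tests never call the real iptables
        self.clock = clock
        self.syn_times = defaultdict(deque)  # mac -> timestamps of recent bare SYNs
        self.banned = set()

    def decide(self, src_mac: str, payload: bytes) -> str:
        """Return 'drop' or 'accept' for one queued packet, banning the MAC if needed."""
        if src_mac in self.banned:
            return "drop"
        parsed = parse_ipv4_tcp(payload)
        if parsed is None or not is_bare_syn(parsed[2]):
            return "accept"
        now = self.clock()
        times = self.syn_times[src_mac]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()  # forget SYNs older than the window
        if len(times) > self.max_syns:
            self.banned.add(src_mac)
            self.runner(ban_rule(src_mac), check=True)
            return "drop"
        return "accept"


def build_syn(src_ip="192.0.2.10", dst_port=80, flags=TCP_SYN) -> bytes:
    """Constructed IPv4/TCP frame for offline testing (checksums left zero)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes([198, 51, 100, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def run_nfqueue(queue_num=0, monitor=None):
    """Bind to the queue number used in the PREROUTING rule above (needs root)."""
    from netfilterqueue import NetfilterQueue  # python-netfilterqueue, assumed installed
    monitor = monitor or MacBanMonitor()

    def callback(pkt):
        hw = pkt.get_hw()  # assumption: None or hardware-address bytes, MAC in first 6
        mac = ":".join(f"{b:02x}" for b in hw[:6]) if hw else "unknown"
        if monitor.decide(mac, pkt.get_payload()) == "drop":
            pkt.drop()
        else:
            pkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, callback)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    run_nfqueue(0)
```

Because the kernel holds every queued packet until a verdict arrives, decide() is kept cheap and only consults in-memory state; the ban rule is installed once, after which the banned MAC is dropped in the queue callback immediately without reparsing.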